By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

fix a critical security vulnerability that could potentially expose the sensitive Internet communications of millions of OpenSSL users.

Dubbed 'Heartbleed' by the researchers that uncovered it, the OpenSSL security vulnerability, CVE-2014-0160, was first introduced in December of 2011 and is the result of a missing bounds check in the handling of the TLS heartbeat extension. According to the OpenSSL security advisory, the OpenSSL flaw can expose up to 64KB of memory of any connected client or server.

The vulnerability threatens OpenSSL security in versions 1.0.1 through 1.0.1f, with the latest version, 1.0.1g, fixing the issue.

Even worse, an attacker taking advantage of the OpenSSL flaw could go undetected.

"We have tested some of our own services from [an] attacker's perspective. We attacked ourselves from outside, without leaving a trace," the researchers said. "This bug has left [a] large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation, and attacks leaving no trace, this exposure should be taken seriously."

The researchers went on to warn that any sensitive communications that may have been intercepted in the past could still be in the hands of attackers, meaning that in addition to implementing the patched version of OpenSSL, organizations must also revoke potentially compromised keys, issue new keys, and change passwords.

OpenSSL is found in open source Web servers like Apache and nginx, which when combined, make up more than two-thirds of active sites, according to the latest figures from analysis firm Netcraft, as well as a number of Linux distributors, including Ubuntu 12.04.4 LTS, Fedora 18 and Debian Wheezy.

San Francisco-based content delivery network and distributed denial-of-service mitigation provider CloudFlare Inc. also utilizes OpenSSL, but according to a blog post by engineer Nick Sullivan, the company was able to fix the vulnerability last week, as key Internet stakeholders were informed of the OpenSSL security issues ahead of the general public.

"All sites that use CloudFlare for SSL have received this fix and are automatically protected," Sullivan said.

Despite apparent early warnings to administrators of key websites, several of the world's most prominent websites were vulnerable as news of Heartbleed went public. Example screenshots posted to Twitter, for example, showed Yahoo releasing login and password credentials.

For organizations that can't update their OpenSSL implementations immediately and may be vulnerable to Heartbleed exploits, the researchers suggested enterprises train their intrusion prevention/detection systems (IDS/IPS) "to detect use of the heartbeat request" based on a comparison of the size of such a request against the size of the corresponding reply. "This seems to imply that IDS/IPS can be programmed to detect the attack but not to block it unless heartbeat requests are blocked altogether," the researchers said. Netherlands-based incident response and monitoring firm Fox-IT offered up some signatures for the popular open source IDS Snort, though the company's blog post warned that the rules might generate some false positives.

However, the critical nature of the data protected by OpenSSL security implementations means organizations shouldn't rely on such measures longer than is absolutely necessary.

"Heartbleed is a rare bug: a failure in a crypto library that leaks data beyond what it's protecting," said Matt Blaze, associate professor at the University of Pennsylvania and cryptographic researcher, on Twitter. "So worse than no crypto at all."

5 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

The flaw has to do with the TLS heartbeat extension a remote attacker could exploit this flaw to repeatedly reveal 64K of memory contents from a SSL/TLS connected client or server 64K of memory might seem small an attacker could repeatedly exploit this flaw to gather enough contents from memory to compromise SSL key material, certificates, usernames, passwords, and potentially gain access to your entire decrypted communications